Doxbin’s Nachash On Operation Onymous (P.2)

Last week the FBI, together with 16 other Europol nations, took down 410 .onion addresses belonging to 27 different sites that offered services and products ranging from Class A drugs to hitmen-for-hire, as part of Operation Onymous.

Many operators are still at large despite the FBI’s takedown of these sites. One of the co-operators of Doxbin, a site that allowed people to post personal identifying information used for malicious purposes, shared details of the site’s takedown with Tor developers in a bid to help them find ways to protect other users of the Tor network.

In an email entitled “yes, hello, internet supervillain here” to tor-dev, the operator who goes by the name Nachash said that his server was a virtual private server on the German hosting service Hetzner.

According to the logs that he sent to tor-dev, between August 21st and August 28th there was a stream of requests that were preceded by “%5c%22” (the URL-encoded form of a backslash followed by a double quote), which PHP code handling the requests would parse as a quotation mark. The quoted strings in the requests appeared to be URLs for websites like Twitter and Hack Forums, whereas in reality they were loaded with fake subdirectories like “/old/code/fail”.

With a flood of these requests, traffic was pushed up to 1.7 million page requests, which is 3 times the regular traffic the site received. The same thing repeated a month later, and Nachash said he began redirecting the requests to another Tor hidden service site (the Hidden Wiki’s child pornography sites directory) and also added a “grep -v” (the “invert match” option of the GNU grep command, which excludes lines matching a given pattern from the output) “to my log report script in order to filter out the noise,” Nachash added. “[This was] possibly a mistake, but we both tailed logs and watched for something like a different attack style that the DDoS was being used to cover and never noticed anything.”
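As an added example (not from the article, and not Nachash’s own log report script), here is what a report over the requests described above could do instead of discarding them with grep -v: percent-decode the %5c%22 pattern, pull out the fake subdirectories, and compare the window’s volume against a baseline so that both the spike and any ordinary traffic underneath it stay visible. The log lines, the paths and the baseline are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" format, not Doxbin's real
# logs; the first three imitate the %5c%22 requests described above. Every
# client IP is 127.0.0.1 because hidden-service requests arrive from the local
# Tor daemon, so the IP column is useless and only the request shape matters.
SAMPLE_LOG = """\
127.0.0.1 - - [21/Aug/2014:10:00:01 +0000] "GET /%5c%22https://twitter.com/old/code/fail%5c%22 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
127.0.0.1 - - [21/Aug/2014:10:00:01 +0000] "GET /%5c%22http://hackforums.net/old/code/fail%5c%22 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
127.0.0.1 - - [21/Aug/2014:10:00:02 +0000] "GET /%5C%22https://twitter.com/does/not/exist%5C%22 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
127.0.0.1 - - [21/Aug/2014:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
127.0.0.1 - - [21/Aug/2014:10:00:04 +0000] "GET /view.php?id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (method, percent-decoded path, status), or None if unparseable."""
    m = LINE_RE.match(line)
    return (m.group(2), unquote(m.group(3)), int(m.group(4))) if m else None

def fake_subdirectory(decoded_path):
    """If the path is a URL wrapped in escaped quotes (decoded %5c%22 ... %5c%22),
    return that URL's path component, e.g. /old/code/fail; otherwise None."""
    parts = decoded_path.split('\\"')
    if len(parts) < 3:
        return None
    return urlsplit(parts[1]).path or None

def report(log_text, baseline):
    """Summarise a log window rather than discarding the flood with grep -v, so a
    second attack hidden under the noise still shows up in the normal-traffic
    counts. `baseline` is the request count a quiet window of equal length sees."""
    flood, normal, subdirs = 0, 0, Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        sub = fake_subdirectory(parsed[1])
        if sub is None:
            normal += 1
        else:
            flood += 1
            subdirs[sub] += 1
    return {"total": flood + normal, "flood": flood, "normal": normal,
            "ratio_to_baseline": (flood + normal) / baseline,
            "top_fake_subdirs": subdirs.most_common(3)}
```

Run `report(SAMPLE_LOG, baseline=2)` to see the flood counted separately from the two ordinary requests rather than hidden by an invert-match filter.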

Nachash also tweeted a graph showing Doxbin’s traffic history:

A theory that has surfaced is that law enforcement’s attack was a bid to force the sites’ .onion traffic to follow paths over nodes that were set up by law enforcement. By flooding the circuits through secure nodes, law enforcement made it possible to connect only through Tor nodes that they controlled. Of course, this theory raises the question of how many nodes the combined law enforcement agencies of the nations involved control, since there are just over 6000 Tor nodes.

Whilst the takedown of Silk Road and Doxbin won’t have major implications for the drug market, it could have serious consequences for the security of the Tor network in general. If governments could force Tor traffic through nodes that they control, it could present serious privacy concerns for whistle-blowers, political activists and dissidents, journalists, and others trying to avoid the eyes of oppressive regimes.

It’s important to keep in mind that we do not know for certain exactly what method law enforcement used, since they have revealed little so far. Tor developers will most likely be keen to hear what law enforcement has to say about its method of taking down the sites, in a bid to ensure the security of the Tor network and the anonymity of its users.

This is exactly what I think has happened – the only way to overcome this is for every Tor user to set up a separate Bridge relay on their network. Increase the global relays – also to just spread Tor around everywhere.

The US has a server system that’s approx 35 football fields in size (maybe more?) – how many nodes do you think they can set up? It still doesn’t mean that the puzzle is solved there. The data encryption is still scattered and strong, the issue is how much they can collate and what equations they’re using in order to piece together the info. I think it’s a series of the above, plus IP traces – if you can associate an IP to a specific traffic set, then you don’t really need to decrypt the data – you do as above – take the server host by the neck and tell them to play ball.

The only real way to minimise tracking is to have the server randomly, but periodically, shut down and reboot from other hosts around the globe, whilst constantly buying new space to keep shifting the markets forward – this would mean that (theoretically) – if you can keep shifting the server (even if you bounce to and from the same hosting services) there would never be a breadcrumb trail (unless the server was discovered and attacked).